Cloud Insight Essentials FAQs with Amazon GuardDuty

General

What is Cloud Insight Essentials?

Alert Logic® Cloud Insight™ Essentials is an Amazon Web Services (AWS)-native security service that continuously discovers and assesses your AWS workloads and EC2 instances for vulnerabilities and for misconfigurations that do not follow AWS security best practices. When integrated with Amazon GuardDuty™, Cloud Insight™ Essentials automatically shows you why, where, and how to respond to Amazon GuardDuty™ findings, and provides short- and long-term recommendations to stop active attacks now and to prevent similar attacks in the future.

With Cloud Insight Essentials you can launch essential security in minutes, with minimal permissions, zero footprint in your AWS environment, and no security experience required, so you can easily:

Continuously discover your AWS assets across multiple accounts, viewed through an interactive topology map that shows you the exposure status of each asset and how each asset connects to other assets.

Take action sooner with incident response support that explains GuardDuty findings, shows how they impact your current assets, and recommends which actions to take first.

Try Cloud Insight Essentials completely free for the first 30 days, then pay a monthly fee of $49 per AWS account. Go to AWS Marketplace to get started and start seeing results in minutes.

Who is Cloud Insight Essentials for?

Anyone who wants to improve the security posture of their AWS environments without having to become an advanced security expert. The user interface and RESTful APIs make it ideal for Application, DevOps and other IT professionals to get started in minutes.

What is the difference between Cloud Insight™ and Cloud Insight™ Essentials?

Using Cloud Insight Essentials helps you address your responsibilities in ensuring that your AWS services are securely configured, and that you can quickly respond to suspicious activity detected by Amazon GuardDuty.

Enabling continuous software vulnerability scanning of your EC2 instances helps you identify CVE vulnerabilities and software configurations that could be exploited by attackers.

Amazon GuardDuty Support

How does Cloud Insight Essentials help me with Amazon GuardDuty?

Cloud Insight Essentials makes it easier for you to respond to GuardDuty findings. Alert Logic security experts review all GuardDuty threat detections (called findings) and provide threat descriptions and prioritized short- and long-term recommendations to stop active attacks immediately, and to prevent similar attacks in the future. Using Cloud Insight Essentials with GuardDuty you can:

Better understand the cause of GuardDuty findings and the impact to your AWS workloads

See historical trends with GuardDuty findings and prevent future findings from happening again

Run reports that combine GuardDuty findings with other security threats to see which AWS accounts and workloads present a high security risk

Do I need Amazon GuardDuty to use Cloud Insight Essentials?

No. You can use Cloud Insight Essentials for automatic environment discovery and configuration exposure management to prevent compromises. You can enable incident response support for GuardDuty at a later time.

I just got an Amazon GuardDuty finding, now what do I do?

Using Cloud Insight Essentials, navigate to the Incidents tab to search or drill down to the specific finding, review the threat description and enriched investigation report, follow the step-by-step guidance to stop the immediate threat, then follow the step-by-step structural guidance to reduce or prevent future occurrences.

How do I visualize Amazon GuardDuty findings?

Each GuardDuty finding will be displayed in the Cloud Insight Essentials Incident tab along with a topology view to see the targeted asset and associated Subnet, VPC, Region, Security Group and custom tags.

For every finding, Cloud Insight Essentials will provide an Investigation Report that provides a detailed explanation of the finding, with links to industry articles about the threat. You will also be provided step-by-step recommendations of what to do in your AWS account to see if the threat caused other compromises, and how to prevent it from happening again. See an example below.

How does Cloud Insight Essentials integrate with Amazon GuardDuty?

You can integrate GuardDuty with Cloud Insight Essentials by using our CloudFormation template, which deploys a Lambda function and a CloudWatch Events collector. The CloudWatch Events collector gathers all GuardDuty findings and forwards them to Cloud Insight Essentials. When Cloud Insight Essentials receives the findings, the service augments the data with more detailed information about what to do with each finding and how to prevent it from occurring again.
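As an added example (not Alert Logic's or AWS's code), here is what the Lambda side of such a collector could look like: the CloudWatch Events pattern that selects only GuardDuty findings, and a handler that normalizes each finding into the fields an incident and topology view needs (type, severity, targeted instance, VPC, subnet, security groups) before forwarding it. The collector URL, the FORWARD_URL variable, the payload layout and the sample event are assumptions.

```python
# Added example (not Alert Logic's code): a minimal CloudWatch Events -> Lambda forwarder for
# GuardDuty findings. The collector URL (FORWARD_URL) and the payload layout are assumptions.
import json
import os
from urllib import request

# Pattern the CloudWatch Events rule uses to route only GuardDuty findings to the Lambda.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Constructed sample, shaped like the event CloudWatch Events delivers for one finding.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-0001", "accountId": "123456789012", "region": "us-east-1", "severity": 5,
    "type": "Recon:EC2/PortProbeUnprotectedPort", "service": {"count": 3},
    "title": "Unprotected port on EC2 instance is being probed",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0",
        "networkInterfaces": [{"vpcId": "vpc-1", "subnetId": "subnet-1",
                               "securityGroups": [{"groupId": "sg-2"}, {"groupId": "sg-1"}]}]}}}}

def severity_label(score):
    """GuardDuty's documented severity bands: 1.0-3.9 low, 4.0-6.9 medium, 7.0 and above high."""
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"

def normalize_finding(event):
    """Reduce a finding event to what an incident view needs: finding type and severity, plus
    the targeted instance and its VPC, subnet and security groups (the topology context)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {})
    nics = inst.get("networkInterfaces", [])
    return {
        "finding_id": d["id"], "account_id": d["accountId"], "region": d["region"],
        "type": d["type"], "severity": severity_label(float(d["severity"])),
        "title": d.get("title", ""), "count": d.get("service", {}).get("count", 1),
        "instance_id": inst.get("instanceId"),
        "vpc_ids": sorted({n["vpcId"] for n in nics if "vpcId" in n}),
        "subnet_ids": sorted({n["subnetId"] for n in nics if "subnetId" in n}),
        "security_group_ids": sorted({g["groupId"] for n in nics for g in n.get("securityGroups", [])}),
    }

def post_json(url, body):
    """Default sender: HTTPS POST of the normalized finding to the (assumed) collector URL."""
    req = request.Request(url, data=body.encode(), headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=5) as resp:
        return resp.status

def lambda_handler(event, context=None, send=post_json):
    """Lambda entry point. `send` is injectable so the logic can be exercised offline."""
    finding = normalize_finding(event)
    url = os.environ.get("FORWARD_URL", "https://collector.example.invalid/findings")
    return {"statusCode": send(url, json.dumps(finding)), "forwarded": finding["finding_id"]}
```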

Asset Discovery

How does Cloud Insight Essentials discover my AWS environments?

After you create your deployment for the AWS accounts you want to monitor, Cloud Insight automatically discovers and presents you with all the Regions, VPCs, Subnets, and EC2 instances discovered in your configured AWS accounts in an interactive topology view.

What types of changes does Cloud Insight Essentials detect?

After you create your deployment for the AWS accounts you want to monitor, Cloud Insight Essentials starts using AWS APIs and scanning AWS CloudTrail events, and presents you with all the:

Configuration Checks

Cloud Insight Essentials performs over 90 checks on your AWS account, covering the following services:

EC2

S3

CloudTrail

IAM

ELB

Auto Scaling

Route53

RDS

RedShift

VPC

What can I do with configuration check findings from Cloud Insight Essentials?

You can view a list of recommended remediation actions that are automatically prioritized by severity and effectiveness for improving your overall security profile.

Vulnerability Scanning

How soon are new instances scanned for vulnerabilities?

New instances are usually scanned within an hour, sometimes sooner. After that they are scanned once every 24 hours unless a change is reported by CloudTrail, in which case the instance is rescanned ahead of the normal schedule, usually within an hour.

Can I run authenticated scans?

Yes. Within the Cloud Insight UI, you can provide credentials for your Linux and Windows systems to perform authenticated scans in addition to unauthenticated scans.

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

PCI DSS 3.2, 11.2.1: Perform network vulnerability scans by an ASV at least quarterly or after any significant network change.

PCI DSS 3.2, 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change.

General Data Protection Regulation (GDPR), Article 32 (1): Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

General Data Protection Regulation (GDPR), Article 32 (1)(b): Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

AICPA SOC2 Trust Service Principles, CC 5.6: Unauthorized External Access - Logical access security measures have been implemented to protect against unauthorized Security and Availability threats from sources outside the boundaries of the system.

AICPA SOC2 Trust Service Principles, CC 6.1: System Vulnerabilities - Vulnerabilities of system components to Security and Availability breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

HIPAA HITECH, 164.308 (a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Reporting

What kind of reporting options does Cloud Insight Essentials provide?

Cloud Insight Essentials includes reporting for:

Environment Exposure Trends

The Exposure Assessment Trends report lets you analyze the overall exposure and the average exposure, per vulnerability, of Cloud Insight environments over a selected time period.

The Severity Trends report lets you view the percentage of hosts with the worst exposures in the high, medium, and low rating categories, with a graph to determine whether you are adequately addressing exposures.

Vulnerability Analysis

Vulnerability Explorer reports let you explore the exposures in your environments through interactive histograms that group exposures by CVSS score.

Vulnerable Host Explorer reports let you explore patterns within host-specific exposures, and provide an interactive, visual representation of exposures grouped by both image/AMI and VPC.

Vulnerability Reports

The List of Vulnerabilities report returns a tabular list of all current vulnerabilities, details about each vulnerability, and information about the assets affected by each vulnerability.

Amazon GuardDuty Incident Reports

The Incident Daily Digest report displays the incidents received the previous day for the selected deployments. You can view the list of incidents by threat level, by classification type, or by GuardDuty finding.

The Risk Summary report displays the risk level for a selected group of assets by incident count and average exposure score. The quadrant in which the selected asset group appears, and its color, indicate the risk level for the assets.

The Targeted Deployment Explorer report displays an incident distribution, by AWS asset or Account ID, within your deployments, with filters to see results by one or more asset types and one or more categories.

Note: one of the first remediation recommendations you will see in the portal is to enable Amazon GuardDuty and deploy CloudWatch Events collectors. Once the collectors are in place, Cloud Insight Essentials is fully provisioned.

How do I integrate with Atlassian JIRA?

The Cloud Insight Add-on for JIRA integrates Cloud Insight remediations as JIRA issues, which lets you configure, manage, and assign issues to JIRA teams. JIRA team members can use the add-on to review, and then dispose of, assigned remediations.

Pricing

How much does Cloud Insight Essentials cost?

Cloud Insight Essentials is $49.00 per month (USD) per AWS account and is available through AWS Marketplace.

How much does Cloud Insight cost?

Cloud Insight is $49 per month per AWS account, plus charges for the number of EC2 instances scanned for vulnerabilities (configurable), ranging from $0.011 to $0.004 per hour for each EC2 instance scanned. Examples:

One AWS account and vulnerability scanning for up to 50 EC2 instances

$49 x 1 AWS account = $49 per month

$0.011 x 50 instances x 730 (hours in month) = $401.50 per month

Total = $450.50 per month

Two AWS accounts and vulnerability scanning for up to 100 EC2 instances

Where can I buy Cloud Insight?

The full version of Cloud Insight can be purchased through AWS Marketplace or directly from Alert Logic.

Cloud Insight Essentials customers can upgrade to the full version of Cloud Insight within the application, and AWS Marketplace billing is updated automatically. Note: vulnerability scanning requires an Alert Logic instance deployed in each VPC.

Are there any upfront commitments with Cloud Insight Essentials?

No. Cloud Insight Essentials uses the AWS Marketplace SaaS metering service, which allows you to use the service and pay an hourly fee with no commitments. You can cancel at any time and you only pay for what you use.